
Xray Routing Engine: Build a Zero-Leak, High-Performance Proxy System in Minutes
TL;DR
- Master Xray’s routing engine and split tunneling for bandwidth savings.
- Configure multiple inbounds/outbounds for fault tolerance and privacy.
- Block ads at the proxy level with geosite lists and a blackhole outbound.
- Secure DNS traffic and avoid leaks with an encrypted resolver and a tagged DNS route.
- Quick steps to test, monitor, and keep the configuration up to date.
Why This Matters
I once had to keep my office’s finance portal working while evading a deep-packet inspection firewall that flagged all my traffic as a single fingerprint. Every request was logged, and my ISP could tell I was hitting a banking site even though I was technically inside the corporate VPN. That is the pain point: consistent encrypted traffic to a single endpoint, 24x7, appears as a pattern, not a person (Xray — Routing Engine Overview (2023); Cloudflare — Next-Gen Firewall DPI Overview (2023)).
Single-tunnel fingerprinting is a fast way for DPI firewalls to identify you, and DNS leaks expose the sites you visit (ExpressVPN — What is a DNS Leak? (2023)). These are the issues Xray’s routing engine is built to address: split tunneling to save bandwidth, ad blocking without a heavy performance hit, and DNS privacy.
Core Concepts
Xray’s routing engine is like a traffic director in a busy city.
- Inbounds are the city’s entry points (socks, http, etc.).
- Outbounds are the roads (Shadowsocks tunnels, direct link, blackhole).
- Tags are labels on cars so the director knows where they’re supposed to go.
- Rules are traffic lights that decide the car’s path.
Mental Model: think of each inbound tag as a “car type.” Each rule is a “traffic light” that matches on domain, IP, protocol, or port.
Domain-Based Routing
The domainStrategy setting controls when Xray resolves a destination domain so that IP-based rules (ip, geoip) can be tested against it. AsIs never resolves: domain rules work, and IP rules only ever see connections that already target an IP literal. IPIfNonMatch runs every rule against the unresolved destination first and resolves only if nothing matched, then re-runs the rules against the IP. IPOnDemand resolves the moment the first IP rule is reached during matching. AsIs is therefore the strategy that costs no lookups at all; IPOnDemand is the one that can cost a lookup per connection, so when you use it keep domain rules ahead of IP rules. One trap: if the rule set ends in a catch-all rule, IPIfNonMatch’s second pass never runs, because the catch-all already matched in the first pass.
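To make the three strategies concrete, here is a small Python model of the first-match loop. It is an added example written for this article, not Xray code: the rule list, the fake resolver table and the per-strategy resolution points are all constructed, and geosite lookups are replaced by plain suffix matching. Run it and compare how many lookups each strategy performs and where a LAN hostname ends up.

```python
"""Toy model of Xray's routing.domainStrategy (constructed example, not Xray code).

Rules are evaluated top to bottom, first match wins. A rule may match on
domain suffixes or on IP CIDR ranges. The strategies differ in *when* the
destination domain is resolved so that IP rules can be tested:
  AsIs          - never resolve; IP rules cannot match a domain request
  IPIfNonMatch  - resolve only if no rule matched at all, then re-run the rules
  IPOnDemand    - resolve as soon as the first IP rule is reached
"""
import ipaddress

# Constructed stand-in for the answers Xray's built-in DNS would return.
FAKE_DNS = {
    "intranet.example.internal": "10.1.2.3",
    "ads.example.net": "203.0.113.10",
    "news.example.org": "198.51.100.7",
}

# Rules in the page's style. The last rule is a catch-all that matches every
# connection by network type, like the inboundTag catch-all in step 5.
RULES = [
    {"domain": ["ads.example.net"], "outboundTag": "block"},
    {"ip": ["10.0.0.0/8", "192.168.0.0/16"], "outboundTag": "direct"},
    {"domain": ["example.org"], "outboundTag": "ShadowNL"},
    {"network": ["tcp", "udp"], "outboundTag": "ShadowDE"},
]


def domain_matches(patterns, domain):
    """Exact match or any subdomain, the way a plain geosite entry behaves."""
    return any(domain == p or domain.endswith("." + p) for p in patterns)


def ip_matches(cidrs, ip):
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def route(domain, strategy, rules=RULES, resolver=FAKE_DNS):
    """Return (outboundTag, dns_lookups) for one connection to `domain`."""
    lookups = 0
    cached_ip = None

    def resolve():
        nonlocal lookups, cached_ip
        if cached_ip is None:          # Xray resolves once per connection
            lookups += 1
            cached_ip = resolver.get(domain)
        return cached_ip

    def scan(resolve_for_ip_rules):
        for rule in rules:
            if "domain" in rule:
                if domain_matches(rule["domain"], domain):
                    return rule["outboundTag"]
            elif "ip" in rule:
                # A domain target has no IP until resolved, so without
                # resolution an IP rule simply cannot match.
                ip = resolve() if resolve_for_ip_rules else None
                if ip_matches(rule["ip"], ip):
                    return rule["outboundTag"]
            elif "network" in rule:
                return rule["outboundTag"]  # catch-all
        return None

    if strategy == "AsIs":
        tag = scan(False)
    elif strategy == "IPOnDemand":
        tag = scan(True)
    elif strategy == "IPIfNonMatch":
        tag = scan(False)
        if tag is None:                 # second pass only if nothing matched
            tag = scan(True)
    else:
        raise ValueError(f"unknown domainStrategy {strategy!r}")
    return tag, lookups


if __name__ == "__main__":
    for strategy in ("AsIs", "IPIfNonMatch", "IPOnDemand"):
        for host in FAKE_DNS:
            tag, n = route(host, strategy)
            print(f"{strategy:13} {host:27} -> {tag:9} ({n} DNS lookup(s))")
```

Two results are worth noticing. Under AsIs and IPIfNonMatch the intranet hostname goes to ShadowDE, not direct: the IP rule never sees an address, and with IPIfNonMatch the catch-all matched in the first pass so the second pass never ran (drop the catch-all with `rules=RULES[:-1]` and IPIfNonMatch does resolve and route it direct). Under IPOnDemand news.example.org is routed correctly but costs a lookup, because the IP rule sits above the domain rule that eventually matches; with a catch-all present, IPOnDemand is what makes ip/geoip rules fire on domain traffic, and domain rules belong above IP rules to keep the lookup count down.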
GeoIP and Geosite
Geosite files (geosite.dat) hold domain lists grouped into named categories such as google or facebook; GeoIP files (geoip.dat) hold IP ranges grouped by country code plus a few special sets. Rules reference them as geosite:<category> and geoip:<code>:
- geosite:category-ads-all matches the community-maintained list of ad and tracker domains (the exact count changes with every release).
- geosite:cn matches domains served from China so they can be given their own outbound, or sent straight out.
- geoip:private matches RFC 1918 and other private or reserved ranges that should never leave the LAN.
DNS Outbound
Queries issued by Xray’s built-in DNS module can be tagged (the dns.tag setting) so a routing rule can send them through a proxy outbound rather than out via the local network, and a DNS-over-HTTPS server address (e.g. https://1.1.1.1/dns-query) keeps them encrypted. Plain UDP/53 traffic from clients can be intercepted with an outbound of protocol dns so that it is answered by that module instead of leaking to the ISP resolver.
The Catch-All Rule
The catch-all rule (in this guide, the inboundTag rule that points at outboundTag "direct") is the default path taken when no earlier rule matches. It must be the last rule; every rule placed after it is unreachable.
| Parameter | Use Case | Limitation |
|---|---|---|
| inbound tag | Identifies source traffic and links it to an outbound via routing rules | If no rule matches at all, Xray uses the first outbound in the list, not the catch-all |
| outbound tag | Labels a destination proxy; one unique tag per outbound | A rule that names a tag with no matching outbound will not route where you expect |
| rule order | Determines which rule fires first (first match wins) | Overlapping rules can lead to unexpected routing |
| catch-all rule | Provides a default path when no rule matches | If placed too early, every rule below it is unreachable |
| domainStrategy | Controls when domain names are resolved for ip/geoip rules (AsIs: never) | IPOnDemand adds a lookup per connection that reaches an IP rule; IPIfNonMatch never gets a second pass if a catch-all matched |
Xray — Routing Engine Overview (2023)
How to Apply It
Below is a step-by-step recipe that turns the theory into a running Xray server with two Shadowsocks outbounds, DNS protection, ad blocking, and split tunneling.
1. Install Xray and 3x-UI
# On Ubuntu/Debian; the official installer needs curl
sudo apt update
sudo apt install -y curl unzip
# Installs the xray binary to /usr/local/bin, a systemd unit, geoip.dat and
# geosite.dat to /usr/local/share/xray/, and a config at /usr/local/etc/xray/config.json
sudo bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
Read the script before running it as root. If you want a web UI, 3x-UI ships its own installer:
bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh)
Run 3x-UI, set a strong admin password, and keep the panel port reachable only from your management network (or behind TLS); it is the admin interface to your proxy. The panel generates a JSON configuration that you can export and tweak, and lets you export inbound parameters and view the underlying configuration (3x-UI Xray Configuration DeepWiki (2023)). Note that 3x-UI manages its own Xray process and configuration: either let the panel own the config, or hand-edit /usr/local/etc/xray/config.json under the systemd service as the rest of this guide does, but not both.
2. Configure Inbounds
Two inbound listeners are enough for most setups: a socks5 listener for LAN devices and an http listener for local web apps. Give each one a tag, because tags are what the routing rules reference; the catch-all rule in step 5 matches on these exact names.
"inbounds": [
  {
    "tag": "socks-inbound",
    "port": 1080,
    "listen": "0.0.0.0",
    "protocol": "socks",
    "settings": {
      "auth": "noauth",
      "udp": true
    },
    "sniffing": {
      "enabled": true,
      "destOverride": ["http", "tls"]
    }
  },
  {
    "tag": "http-inbound",
    "port": 1081,
    "listen": "127.0.0.1",
    "protocol": "http",
    "settings": {}
  }
]
A socks listener with "auth": "noauth" on 0.0.0.0 is an open proxy to anyone who can reach port 1080, so either firewall it to the LAN or switch to "auth": "password" with an accounts list. "udp": true is what lets UDP (DNS, QUIC, games) through the socks inbound; sniffing recovers the destination hostname from HTTP and TLS so that domain rules still match when a client connects by IP.
3. Configure Outbounds
The Shadowsocks outbounds use chacha20-ietf-poly1305, an AEAD cipher that every current Shadowsocks implementation supports (Shadowsocks — Encryption Methods Quick Guide (2023)); avoid the legacy stream ciphers. Replace examplepass with a long random password, different for each server. A fourth outbound of protocol dns is added so that client DNS can be intercepted and answered by Xray’s own resolver (step 4).
"outbounds": [
  {
    "tag": "ShadowDE",
    "protocol": "shadowsocks",
    "settings": {
      "servers": [
        {
          "address": "de.example.com",
          "port": 8388,
          "method": "chacha20-ietf-poly1305",
          "password": "examplepass"
        }
      ]
    }
  },
  {
    "tag": "ShadowNL",
    "protocol": "shadowsocks",
    "settings": {
      "servers": [
        {
          "address": "nl.example.com",
          "port": 8388,
          "method": "chacha20-ietf-poly1305",
          "password": "examplepass"
        }
      ]
    }
  },
  {
    "tag": "direct",
    "protocol": "freedom",
    "settings": {}
  },
  {
    "tag": "block",
    "protocol": "blackhole",
    "settings": {}
  },
  {
    "tag": "dns-out",
    "protocol": "dns",
    "settings": {}
  }
]
4. Secure DNS
"dns": {
  "tag": "dns-query",
  "queryStrategy": "UseIPv4",
  "servers": [
    "https://1.1.1.1/dns-query"
  ]
}
Two things happen here. The server is a DNS-over-HTTPS URL, so the queries Xray’s built-in resolver sends are encrypted rather than plain UDP/53. The tag marks those queries as if they had arrived on an inbound named dns-query, which lets a routing rule in step 5 push them through a proxy outbound instead of the ISP’s path. This covers only resolution that Xray itself performs (IP-based routing rules, and client DNS intercepted by the dns outbound); a client that resolves names locally before connecting still leaks, which is why socks5 clients should hand the hostname to the proxy (socks5h in curl terms).
5. Build Routing Rules
"routing": {
  "domainStrategy": "IPOnDemand",
  "rules": [
    {
      "type": "field",
      "port": 53,
      "network": "udp",
      "outboundTag": "dns-out"
    },
    {
      "type": "field",
      "inboundTag": ["dns-query"],
      "outboundTag": "ShadowNL"
    },
    {
      "type": "field",
      "domain": ["geosite:category-ads-all"],
      "outboundTag": "block"
    },
    {
      "type": "field",
      "domain": ["geosite:cn"],
      "outboundTag": "ShadowDE"
    },
    {
      "type": "field",
      "domain": ["geosite:geolocation-!cn"],
      "outboundTag": "ShadowNL"
    },
    {
      "type": "field",
      "ip": ["geoip:private"],
      "outboundTag": "direct"
    },
    {
      "type": "field",
      "inboundTag": ["socks-inbound", "http-inbound"],
      "outboundTag": "direct"
    }
  ]
}
Reading top to bottom: client DNS on UDP/53 is handed to the dns outbound, so it is answered by the encrypted resolver from step 4; the resolver’s own queries (tagged dns-query) leave via ShadowNL; ad domains are blackholed before anything else is evaluated (Xray — Routing Engine Overview (2023)); Chinese and non-Chinese domains get their own tunnels; anything that resolves to a private address stays on the LAN; and the inboundTag rule is the catch-all, which must be the last rule in the set (Xray — Routing Engine Overview (2023)). With IPOnDemand, the geoip:private rule forces a DNS lookup for whatever reaches it, so keeping the domain rules above it means most connections are routed without any lookup at all.
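The ordering and tag mistakes described above are structural, so they can be caught before the config ever reaches the running service. The following Python linter is an added example for this article (not part of Xray or 3x-UI); it takes a parsed config.json and reports rules that name an outbound or inbound tag that does not exist, field names Xray does not know (for instance sourceIP where the real field is source), rules with no effective match fields, and rules shadowed by an earlier catch-all. The two embedded configs are constructed to show a broken and a fixed rule set.

```python
import json
import sys

# Field names accepted in a "type": "field" routing rule (Xray routing docs).
RULE_FIELDS = {"type", "domain", "ip", "port", "sourcePort", "network", "source",
               "user", "inboundTag", "protocol", "attrs", "outboundTag",
               "balancerTag", "ruleTag"}
# Fields that always narrow which connections a rule matches. inboundTag and
# network can narrow too, but may cover everything, so they are handled apart.
NARROWING = {"domain", "ip", "port", "sourcePort", "source", "user", "protocol", "attrs"}


def is_catch_all(rule, inbound_tags):
    """True if the rule can match every connection: no narrowing field, and any
    inboundTag list names all configured inbounds."""
    if any(f in rule for f in NARROWING):
        return False
    tags = set(rule.get("inboundTag", []))
    return not tags or inbound_tags <= tags


def lint(config):
    """Return a list of human-readable findings; an empty list means the rule set is sane."""
    findings = []
    inbound_tags = {ib["tag"] for ib in config.get("inbounds", []) if ib.get("tag")}
    outbound_tags = {ob["tag"] for ob in config.get("outbounds", []) if ob.get("tag")}
    dns_tag = config.get("dns", {}).get("tag")
    routable = inbound_tags | ({dns_tag} if dns_tag else set())
    catch_all_at = None
    for i, rule in enumerate(config.get("routing", {}).get("rules", [])):
        unknown = set(rule) - RULE_FIELDS
        if unknown:
            findings.append(f"rule {i}: unknown field(s) {sorted(unknown)}")
        if not (set(rule) & (NARROWING | {"inboundTag", "network"})):
            findings.append(f"rule {i}: no effective match fields (Xray rejects this rule)")
        dest = rule.get("outboundTag")
        if dest is not None and dest not in outbound_tags:
            findings.append(f"rule {i}: outboundTag {dest!r} has no matching outbound")
        for tag in rule.get("inboundTag", []):
            if tag not in routable:
                findings.append(f"rule {i}: inboundTag {tag!r} matches no inbound or dns.tag")
        if catch_all_at is not None:
            findings.append(f"rule {i}: unreachable, rule {catch_all_at} already matches everything")
        elif is_catch_all(rule, inbound_tags):
            catch_all_at = i
    return findings


# Constructed fixtures: only the parts the linter looks at.
INBOUNDS = [{"tag": "socks-inbound", "protocol": "socks"},
            {"tag": "http-inbound", "protocol": "http"}]
OUTBOUNDS = [{"tag": t} for t in ("ShadowDE", "ShadowNL", "direct", "block", "dns-out")]

BROKEN = {
    "inbounds": INBOUNDS,
    "outbounds": OUTBOUNDS[:4],          # no dns outbound defined
    "routing": {"rules": [
        {"type": "field", "inboundTag": ["socks-inbound", "http-inbound"], "outboundTag": "direct"},
        {"type": "field", "domain": ["geosite:category-ads-all"], "outboundTag": "block"},
        {"type": "field", "sourceIP": ["10.0.0.0/8"], "outboundTag": "direct"},
        {"type": "field", "port": "53", "outboundTag": "dns-proxy"},
    ]},
}

FIXED = {
    "inbounds": INBOUNDS,
    "outbounds": OUTBOUNDS,
    "dns": {"tag": "dns-query"},
    "routing": {"rules": [
        {"type": "field", "port": 53, "network": "udp", "outboundTag": "dns-out"},
        {"type": "field", "inboundTag": ["dns-query"], "outboundTag": "ShadowNL"},
        {"type": "field", "domain": ["geosite:category-ads-all"], "outboundTag": "block"},
        {"type": "field", "source": ["10.0.0.0/8"], "outboundTag": "direct"},
        {"type": "field", "inboundTag": ["socks-inbound", "http-inbound"], "outboundTag": "direct"},
    ]},
}

if __name__ == "__main__":
    # Usage: python lint_routing.py [config.json]; without a path, lint the fixtures.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            targets = {sys.argv[1]: json.load(fh)}
    else:
        targets = {"BROKEN": BROKEN, "FIXED": FIXED}
    for name, cfg in targets.items():
        print(f"== {name}")
        for line in lint(cfg) or ["no findings"]:
            print("  " + line)
```

The linter only knows about structure, not about whether a geosite category exists in your geosite.dat; keep running xray run -test on the final file for that. Its value is catching the silent class of mistake: a catch-all placed first makes the ad rule below it dead without any error from Xray, and a misspelled field leaves a rule with nothing to match on.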
6. Launch and Test
# Validate the file before touching the running service
sudo xray run -test -c /usr/local/etc/xray/config.json
sudo systemctl enable --now xray
sudo systemctl status xray
Test with curl, using socks5h so that curl hands the hostname to the proxy instead of resolving it locally (plain socks5:// resolves on your machine and leaks the lookup before the proxy is ever involved):
curl -x socks5h://127.0.0.1:1080 -o /dev/null -w '%{http_code}\n' https://example.com
curl -x socks5h://127.0.0.1:1080 -m 5 https://doubleclick.net   # should fail: blackholed by the ad rule
Check the access log (/var/log/xray/access.log) for lines ending in the block tag. To verify DNS protection, open a DNS-leak-testing site through the proxy; the resolver it reports should be Cloudflare reached via your proxy exit, not your ISP’s resolver.
7. Keep Geosite Updated
The installer puts geoip.dat and geosite.dat in /usr/local/share/xray/, and Xray reads them at startup. The same installer script has a geodata-only mode; run it and restart the service to pick up the new files:
sudo bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install-geodata
sudo systemctl restart xray
Or automate with a root cron job:
0 2 * * * bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install-geodata && systemctl restart xray
That cron line executes a script fetched over the network, as root, every night. If that is not acceptable in your environment, download the geoip.dat and geosite.dat release assets yourself (for example from the Loyalsoldier/v2ray-rules-dat releases), check them against the published .sha256sum files, and only then copy them into /usr/local/share/xray/ and restart.
8. Monitoring
Enable access logs in the config:
"log": {
  "loglevel": "warning",
  "access": "/var/log/xray/access.log",
  "error": "/var/log/xray/error.log"
}
Each access line records the source, the destination and the inbound and outbound tags chosen, so you can grep for the block tag to confirm the ad rule fires and for a proxy tag on a destination you expected to go direct. The access log is also a complete record of every domain your users visit: restrict its permissions and rotate it.
Pitfalls & Edge Cases
| Problem | Why It Happens | Fix |
|---|---|---|
| Single tunnel fingerprinting | All traffic to one proxy looks identical to DPI | Use multiple outbounds (ShadowDE, ShadowNL) and split tunneling |
| DNS leaks | Clients resolve via the system resolver, or Xray’s own queries leave unencrypted | Intercept UDP/53 with the dns outbound, use a DoH server in the dns block, and route the dns-query tag through a proxy |
| Mis-ordered rules | A catch-all rule early in the list matches first | Keep the catch-all rule at the bottom; every rule below it is unreachable |
| Over-blocking | geosite:category-ads-all includes a domain you need | Add a domain rule for that domain with a normal outbound above the block rule |
| Performance hit | Routing all traffic through a single remote proxy | Split tunneling: geoip:private goes direct, separate tunnels per region |
| UDP dropped | The socks inbound rejects UDP unless enabled | Set "udp": true in the socks inbound settings; freedom and shadowsocks outbounds forward UDP |
| Remote DNS blocked | The DoH resolver is blocked by the local firewall | Route the dns-query tag through a proxy outbound (as in step 5) or switch to a different DoH resolver |
Quick FAQ
| Q | A |
|---|---|
| What is Xray? | Xray is an open-source proxy core that supports multiple protocols (VMess, VLESS, Shadowsocks, etc.) and offers fine-grained routing, encryption, and anti-fingerprinting. |
| How does Xray compare to Tor for anonymity? | Xray excels at censorship circumvention, but a single proxy operator still sees where you connect; Tor’s multi-hop design is what provides anonymity. For true anonymity, use Tor. |
| How do I keep geosite.dat up to date? | Run the installer’s install-geodata mode (or the cron job above) and restart Xray; the community geosite and geoip files are published as release assets you can verify against their .sha256sum files. |
| What is the IPOnDemand domain strategy? | It resolves a domain to an IP as soon as an ip/geoip rule is reached during matching, so it costs a lookup for every connection that gets that far; put domain rules first. AsIs never resolves, and IPIfNonMatch resolves only when no rule at all (including the catch-all) matched. |
| What if the remote DNS server is blocked? | Route the dns-query tag through a proxy outbound so the query is not made from the blocked network, or add another server (a local dnsmasq or a second DoH provider) to the dns block as a fallback. |
| Can Xray handle UDP traffic like gaming or VoIP? | Yes: set "udp": true in the socks inbound settings. The freedom and shadowsocks outbounds forward UDP, and the dns outbound handles UDP/53. |
Conclusion
I’ve spent years wrestling with DPI, DNS leaks, and ad-blocking in corporate environments. Xray’s routing engine turns those battles into a set of declarative rules that are easy to tweak and monitor. By following the steps above, you can:
- Keep your internal traffic out of the public eye without a heavy bandwidth hit.
- Block unwanted ads at the proxy layer instead of on the client.
- Avoid DNS leaks with an encrypted outbound.
- Scale with multiple outbounds and split tunneling.
If you’re a network administrator or security engineer looking to remove a single point of failure and keep traffic patterns from standing out, Xray turns that work into routine configuration.
The goal isn’t to hide everything behind the proxy; the goal is to look like you are not hiding anything.
References
- Xray — Routing Engine Overview (2023) – https://xtls.github.io/en/config/routing.html
- Cloudflare — Next-Gen Firewall DPI Overview (2023) – https://www.cloudflare.com/learning/security/what-is-next-generation-firewall-ngfw/
- Shadowsocks — Encryption Methods Quick Guide (2023) – https://shadowsocks5.github.io/en/config/quick-guide.html
- Xray-core GitHub Repository (2023) – https://github.com/XTLS/Xray-core
- 3x-UI Xray Configuration DeepWiki (2023) – https://deepwiki.com/MHSanaei/3x-ui/6.2-subscription-json-configuration
- ExpressVPN — What is a DNS Leak? (2023) – https://www.expressvpn.com/blog/what-is-a-dns-leak/